OFFICE OF INSPECTOR GENERAL

Audit Report

Audit of the Business Process Controls in the
Financial Management Integrated System

Report No. 14-10
August 01, 2014

RAILROAD RETIREMENT BOARD

EXECUTIVE SUMMARY

The Railroad Retirement Board, Office of Inspector General conducted an audit
to assess the adequacy of the selected business process controls in the
Financial Management Integrated System (FMIS) for the financial management
activities of budget formulation and execution, general ledger, and reporting.

Key Findings

We determined that a significant deficiency exists for the business process
controls in FMIS based on our audit findings, which are summarized below.[1]

•   The selected business process controls for the financial management
    activities in the general ledger were not operating and effective for the
    preparation and approval process for accounting transactions. We identified
    34 accounting transaction errors, which were not considered valid or
    confidential for the selected controls. Twenty-four of those transactions,
    totaling approximately $1.6 billion, had partial or no supporting
    documentation, making their financial recording questionable. We estimated
    that there are 197 accounting transaction errors in the universe of accounting
    transactions prepared by the Bureau of Fiscal Operations (BFO) from
    October 2013 through March 2014 (see Appendices I through III for more
    information).
•   BFO had not clearly documented or maintained policies and procedures for
    FMIS transaction processing.
    They had also not been updated to incorporate
    changes that have taken place since FMIS became operational.
•   Transactions were modified by the Financial Systems Manager contrary to
    BFO policy and FMIS security profiles were not always appropriate.

[1] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less
severe than a material weakness, yet important enough to merit attention by those charged with
governance.

Key Recommendations

To address the identified weaknesses, we recommend that BFO:

    •    improve controls to ensure the validity of the transaction by attaching
         sufficient supporting documentation in FMIS;
    •    develop policies and procedures specific for FMIS and update current
         ones to incorporate FMIS;
    •    update the BFO Accounting Procedures Guide to document the policy
         prohibiting administrators of BFO systems from entering, approving, or
         modifying FMIS transactions; and
    •    review and revise FMIS security roles to ensure that the principles of
         segregation of duties are established and to ensure that only authorized
         personnel can initiate and view appropriate transactions.

Management Responses

The Bureau of Fiscal Operations concurred with these recommendations.

The full text of agency management’s response is included in this report as
Appendix IV.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

INTRODUCTION
  Background
  Audit Objective
  Scope
  Methodology

RESULTS OF AUDIT
  General Ledger Controls
     Partial or No Supporting Documentation
       Recommendations
       Management’s Response
     Personally Identifiable Information in FMIS Support
       Recommendations
       Management’s Response
     No Audit Trail for Reversal
       Recommendation
       Management’s Response
  Policies and Procedures
     FMIS Procedures Need to be Documented
     Policies and Procedures Need to be Updated
       Recommendations
       Management’s Response
  Transactions Modified by Prohibited Personnel
       Recommendation
       Management’s Response
  FMIS Security Profiles Need Review
       Recommendation
       Management’s Response

APPENDICES
 Appendix I - Accounting Transaction Sample Testing
 Appendix II - Budgetary Transaction Sample Testing
 Appendix III - Estimated Impact of Supporting Documentation Errors
 Appendix IV - Management Response

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) audit of
the business process controls in the Financial Management Integrated System
(FMIS).

Background

The Railroad Retirement Board (RRB) is an independent agency in the executive
branch of the Federal government. The RRB administers the retirement/survivor
and unemployment/sickness insurance benefit programs for railroad workers and
their families under the Railroad Retirement Act and the Railroad Unemployment
Insurance Act.
The RRB paid $11.7 billion in retirement/survivor benefits and
$84.5 million in unemployment and sickness insurance benefits during fiscal
year (FY) 2013.

The RRB uses its financial management system to record financial transactions
to support the preparation and reporting of the agency’s annual financial
statements, which includes the Balance Sheet and the Statements of Net Cost,
Changes in Net Position, and Budgetary Resources. In October 2013, the RRB
transitioned from an older financial management system, the Federal Financial
System (FFS), to FMIS.

FMIS has various types of controls, including business process controls, which
are the automated and manual controls applied to business transaction flows and
relate to the completeness, accuracy, validity, and confidentiality of transactions
and data during processing. FMIS contains components for budget formulation
and execution, general ledger, medical exams and consulting opinions,
procurement, accounts payable, accounts receivable, and reporting.
The Bureau
of Fiscal Operations (BFO) is responsible for FMIS, which was developed by a
third-party contractor.

Guidance for information system control audits conducted in accordance with
generally accepted government auditing standards is provided in the
Government Accountability Office’s (GAO) Federal Information System Controls
Audit Manual (FISCAM), which identifies the four critical elements of business
process controls as the following:

   •   transaction data input is complete, accurate, valid, and confidential;
   •   transaction data processing is complete, accurate, valid, and confidential;
   •   transaction data output is complete, accurate, valid, and confidential; and
   •   master data setup and maintenance is adequately controlled.

This audit directly supports the OIG’s understanding of the FMIS business
process controls related to the mandated annual financial statement audit.

Audit Objective

The audit objective was to assess the adequacy of selected business process
controls in FMIS for the financial management activities of budget formulation
and execution, general ledger, and reporting.

Scope

The scope of the audit was the FMIS business process controls for October 2013
through March 2014.

A limitation on the scope of our audit procedures occurred regarding the
Statement of Budgetary Resources, which we were unable to audit because it
was not prepared by BFO during our scope period. Another scope limitation was
the accounting transactions that BFO prepares and records in FMIS for the
National Railroad Retirement Investment Trust (NRRIT) which we could not audit
due to the provisions provided in the Railroad Retirement and Survivors’
Improvement Act of 2001 (Public Law 107-90).
Under that law, the NRRIT is not
a department, agency or instrumentality of the Government of the United States
and therefore is exempt from compliance with Title 31, United States Code which
governs the monetary and financial operations of the Federal government. The
law requires that the NRRIT annually engage an independent, qualified public
accountant to audit its financial statements. As such, NRRIT transactions that
were selected in our random samples were replaced with other transactions (see
Appendices I through III for additional information).

Methodology

To accomplish the audit objective, we:
   •   identified applicable FISCAM criteria and other guidance;
   •   reviewed agency policies and procedures;
   •   interviewed agency staff;
   •   conducted walkthroughs;
   •   identified and tested FMIS business process controls; and
   •   tested a random sample of accounting and budgetary transactions
       recorded in the general ledger to determine whether the controls over
       voucher preparation and the review and approval process are operating
       and effective.

To assess the reliability of the FMIS data, we:

   •   compared data elements in FMIS with the corresponding data in FFS from
       the prior year, and the United States Standard General Ledger;
   •   compared FY 2014 FMIS beginning balances with FY 2013 FFS ending
       balances;
   •   reviewed the completeness of transaction information;
   •   conducted interviews with financial management personnel regarding data
       integrity; and
   •   tested the accuracy of document numbers in FMIS.

We determined that the FMIS data was sufficiently reliable for the purposes of
this audit.

We conducted this performance audit in accordance with generally accepted
government
auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objective.
Except for the scope limitations described on the previous page, we believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objective.

We conducted our fieldwork at RRB headquarters in Chicago, Illinois from
January 2014 through May 2014.

RESULTS OF AUDIT

Our audit determined that the business process controls in FMIS for the financial
management activities of budget formulation and execution, and reporting for the
financial statements are operating and effective. However, the business process
controls for the financial management activities of general ledger transaction
preparation and the approval process are not operating or effective for accounting
transactions.

We determined that a significant deficiency exists for the business process controls in
FMIS.[2] Our random sample, designed to test whether controls over accounting and
budgetary transaction preparation and the approval process are operating and effective,
identified 34 accounting transaction errors, 24 of which affect financial reporting validity
due to partial supporting documentation or no supporting documentation (see Appendix
I and II for details).
We estimated that there could be 197 accounting transaction errors
in the universe of accounting transactions for the period of October 1, 2013 through
March 31, 2014 (see Appendix III for details).

[2] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a
material weakness, yet important enough to merit attention by those charged with governance.

We also found that:

    •    personally identifiable information (PII) had not been redacted on two
         attachments provided in FMIS;
    •    one transaction did not provide an audit trail;
    •    BFO policies and procedures regarding FMIS have not been documented or are
         not clearly documented and maintained;
    •    five transactions were modified by the Financial Systems Manager; and
    •    FMIS security access profiles need to be reviewed and revised.

The assessments provided above are in correlation with the four critical elements of the
FISCAM business process controls:

    •    transaction data input which includes supporting documentation was accurate
         and complete, but not always valid or confidential;
    •    transaction data processing was accurate, valid, complete and confidential;
    •    transaction data output which includes financial statements was accurate, valid,
         and confidential, but not always complete because the Statement of Budgetary
         Resources was not completed prior to the end of fieldwork so we were not able
         to provide an assessment with respect to the budgetary financial statement; and
    •    master data setup and maintenance were adequately controlled, however,
         improvements are needed for documentation of control procedures and security
         profiles.

The details of the audit findings and recommendations for corrective action follow. The
full text of management’s responses is presented as Appendix IV in this report.


General Ledger Controls

The selected business process controls for the financial management activities in the
general ledger were not operating and effective for the preparation and approval
process for accounting transactions. Our review also identified a lack of an audit trail for
a portion of a beginning balance.

Our random sample of 135 budgetary and accounting general ledger transactions
identified 34 accounting transaction errors (25.2%) which were not considered valid or
confidential for the selected controls.

       •   Twenty-four transactions had partial supporting documentation or no
           documentation which makes the financial recording questionable. These
           transactions totaled approximately $1.6 billion.[3] We estimated that there are 197
           accounting transaction errors without adequate support in the universe (see
           Appendices I through III for more information).
       •   Eight transactions did not contain the Document Checklist that summarizes the
           required support as required by BFO guidance.
       •   Two transactions contained PII in the supporting documentation maintained in
           FMIS, contrary to BFO procedure.

Partial or No Supporting Documentation

Our review of FMIS transactions identified instances where the supporting
documentation was inadequate or missing. Documentation for 23 transactions was
inadequate and there was no support for 1 transaction. When support for this
transaction was requested, BFO could not provide it.
For eight other transactions, a
required document checklist was missing from the support.

The GAO Standards for Internal Control in the Federal Government (Standards) state
that internal control and all transactions and other significant events need to be clearly
documented, and the documentation should be readily available for examination.
BFO’s Accounting Procedure Guide (APG) requires approvers to review transactions
and supporting documentation to ensure completeness and accuracy.

[3] This amount represents the monetary total for the 24 transactions.

These errors occurred because BFO staff did not create or attach the proper supporting
documentation in FMIS due to oversight. In addition, BFO approvers did not properly
review the FMIS transactions to ensure that support was complete and accurate.

The risk of errors in FMIS financial data increases when the validity of transactions
cannot be determined due to inadequate or missing support.

Recommendations

We recommend that the Bureau of Fiscal Operations:

    1. improve controls to ensure the validity of the transaction by attaching sufficient
       supporting documentation in FMIS; and

    2. improve controls so that the review and approval process ensures that the
       supporting documentation is complete and accurate.

Management’s Response

The Bureau of Fiscal Operations concurred with these recommendations.


Personally Identifiable Information in FMIS Support

Confidentiality with regard to PII was not always protected in supporting documentation
in FMIS. We found PII in the supporting attachments maintained in FMIS for two
transactions.

The RRB’s Rules of Behavior for Information Technology Systems states that access to
confidential, sensitive, or PII must be restricted to authorized individuals who need it to
conduct their jobs.
[4] This entails refraining from intentional disclosure and using
measures to guard against accidental disclosure.

Additionally, BFO’s APG states that PII on any supporting documentation should be
blacked out with a marker before being scanned and attached to FMIS transactions.

The PII within these documents was not identified by the preparer due to the volume of
the supporting documentation and the approver did not review the attachments
thoroughly.

[4] According to the Office of Management and Budget (OMB) “the term PII means any information about an individual
maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal
or employment history and information which can be used to distinguish or trace an individual’s identity, such as
their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including
any other personal information which is linked or linkable to an individual.” OMB M-06-19 (Washington D.C.: July 12,
2006).

Because the transaction preparer neglected to redact the PII and the approver did not
review attachments for PII thoroughly, anyone who has access to view FMIS
attachments could view the PII and potentially use the information for unlawful
purposes.

Recommendations

We recommend that the Bureau of Fiscal Operations:

   3. redact the PII from the two FMIS transactions cited in this finding; and

   4.
      strengthen controls to ensure that preparers redact all PII and approvers
      thoroughly review support for PII.

Management’s Response

In regard to Recommendation 3, the Bureau of Fiscal Operations stated that they will
redact the PII from the two FMIS transactions cited in this finding.

In regard to Recommendation 4, the Bureau of Fiscal Operations stated that they have
strengthened controls regarding PII. The Bureau of Fiscal Operations stated that they
issued a memorandum to Bureaus and Offices requesting that the paper documents
that they provide to the Bureau of Fiscal Operations for recording transactions in FMIS
should not contain PII.

No Audit Trail for Reversal

During our review of FMIS opening balances, we identified a portion of a beginning
balance, approximately $17.3 million, that wasn’t supported by a journal voucher
transaction. Therefore, the recorded balance in the general ledger did not include a
proper audit trail.

According to BFO’s APG, preparers of the affected financial statements are to post
adjusting journal entries to their respective spreadsheets. The Accounting Officer will
check spreadsheets to ensure entries are properly cross-footed and that cross checks
are intact.

While BFO explained that this was an automatic reversal, which would not require
supporting documentation, we were unable to locate any evidence that this was an
automatic reversal generated by FMIS. This was also inconsistent with how a similar
reversing entry was documented.

Without the proper documentation, there is no audit trail for the balances being recorded
in the general ledger, increasing the likelihood of inaccuracies.

Recommendation

We recommend that the Bureau of Fiscal Operations:

   5.
      document all changes to balances in the general ledger, excluding automatic
      reversals, by preparing a journal voucher with adequate support.

Management’s Response

The Bureau of Fiscal Operations concurred with this recommendation.


Policies and Procedures

We found that policies and procedures for FMIS internal controls and transactions are
not clearly documented or maintained by BFO.

According to GAO Standards, internal control and all transactions and other significant
events need to be clearly documented, and the documentation should be readily
available for examination.

The documentation should appear in management directives, administrative policies, or
operating manuals and may be in paper or electronic form. All documentation and
records should be properly managed and maintained.

Agency management stated that policies and procedures specific for FMIS had not
been prepared, and existing ones had not been updated, due to time and personnel
constraints.
When we inquired about their written policies and procedures, BFO stated
that the documentation could be found in an online help tool accessible through FMIS.
The online help is not specific for FMIS policies and procedures for the RRB.

FMIS Procedures Need to be Documented

The RRB did not have documented policies and procedures that are tailored for FMIS
transaction processing, which include:

   •   review and approval of errors that have been overridden;
   •   master data change, approval, and maintenance;
   •   review of processing results; and
   •   budgetary transactions.

Policies and Procedures Need to be Updated

We found that not all of BFO’s policies and procedures have been updated to reflect the
changes that have occurred since FMIS became operational.
The following written procedures still refer to FFS, and therefore, do not agree with
FMIS processing:

   •   Dual Benefit Payments, Program Accounts Receivable, and Cancelled Check
       Operations reconciliations;
   •   Standard Voucher and Journal Voucher process from preparation through
       recording in FMIS;
   •   Instructions for Adjusting Journal Entry Worksheet and Financial Statement
       Checklists; and
   •   Opening Balances.

Management’s assertions cannot be validated without documented or updated policies
and procedures. Policies and procedures help to ensure effective internal controls and
safeguard the integrity of financial data.

Recommendations

We recommend that the Bureau of Fiscal Operations:

   6. develop policies and procedures specific for FMIS; and

   7.
      update current policies and procedures to incorporate FMIS.

Management’s Response

The Bureau of Fiscal Operations concurred with these recommendations.


Transactions Modified by Prohibited Personnel

We found that the Financial Systems Manager in BFO inappropriately modified FMIS
transactions totaling approximately $41.1 million.

According to GAO Standards, transactions and other significant events should be
authorized only by persons acting within the scope of their authority. BFO policy
indicates that administrators of BFO systems are prohibited from entering, approving, or
modifying transactions in BFO systems.

This policy is not documented in the BFO APG. BFO explained that payroll transactions
modifications were necessary when FMIS was in its initial stages and that they were
made by the Financial Systems Manager.

Transactions modified by personnel that do not have those responsibilities give the
appearance of impropriety and there is also an increased risk the transactions may not
be properly prepared.

Recommendation

We recommend that the Bureau of Fiscal Operations:

   8. update the BFO APG to document the policy prohibiting administrators of BFO
      systems from entering, approving, or modifying FMIS transactions.

Management’s Response

The Bureau of Fiscal Operations concurred with this recommendation.


FMIS Security Profiles Need Review

Some of the current security profiles in FMIS did not follow the principles of segregation
of duties or the proper execution of transactions.
We identified certain FMIS security
profiles that could allow:

    •   users to initiate and approve their own transactions because they have more
        than one set of access privileges;
    •   non-RRB employees (contractors) to initiate and view certain transactions; and
    •   non-BFO employees to initiate certain transactions.

According to GAO Standards, key duties and responsibilities need to be divided or
segregated among different people to reduce the risk of errors or fraud. This should
include separating the responsibilities for preparing and approving the transactions. No
one individual should control all key aspects of a transaction or event. Transactions and
other significant events should be authorized only by persons acting within the scope of
their authority.

Some of the access privileges do not adhere to the necessary internal controls because
they were not reviewed for these principles when the security profiles were established
in FMIS. The security profiles in FMIS were created based on the access privileges that
existed in FFS when the systems transition took place. In addition, we were informed
that access privileges set up for FMIS test purposes may not have been updated when
those privileges were no longer needed.

With the current security profile structure, the integrity of FMIS financial transactions,
and the RRB’s financial statements, could be at risk.

Recommendation

We recommend that the Bureau of Fiscal Operations:

   9. review and revise FMIS security roles to ensure that the principles of segregation
      of duties are established and to ensure that only authorized personnel can initiate
      and view appropriate transactions.

Management’s Response

The Bureau of Fiscal Operations concurred with this recommendation.
The Bureau of
Fiscal Operations stated that they will work with the third-party provider to generate a
report/query suitable for review by RRB business managers to ensure that segregation
of duties is established in their business organizations, and to ensure that only
authorized personnel in those business organizations can initiate and view transactions.


Appendix I

SAMPLING METHODOLOGY AND RESULTS
ACCOUNTING TRANSACTION SAMPLE TESTING

This appendix presents the methodology and results of our non-statistical sampling to
assess the adequacy of manual and automated internal controls related to the recording
of accounting transactions in FMIS which includes standard vouchers (SVs) and journal
vouchers (JVs).

Sample Objective

Our sampling objective is to assess the adequacy of the selected business process
controls for the financial management activities in the general ledger and specifically to
determine whether controls over accounting transaction preparation and the approval
process are operating and effective.

Scope

The scope was SVs and JVs recorded in FMIS from October 1, 2013 through
March 31, 2014. All such units in the universe were subject to selection.

Review Methodology

We used random sampling for tests of controls using a 90% confidence level and 10%
tolerable rate which directed a 90 case sample. The acceptable number of deviations
was one error.
One error would permit the auditors to infer, with a 90% confidence
level, that controls were adequate to ensure accuracy, validity, completeness, and
confidentiality of processing.

Accuracy

We tested for accuracy by determining whether the correct accounts were
debited/credited with the pre-defined accounting transaction (SVs only) and support
documents agreed to the SVs or JVs.

Validity

We tested validity by determining if source documents adequately support the
transaction. We also tested whether the transaction was prepared by the assigned
preparer and approved by the designated approver and the transaction was approved
by an individual other than the preparer.

Completeness

We tested for completeness by determining that the transaction was only processed
once.

Confidentiality

We tested to determine if PII was visible within the transaction or corresponding
support.

Results of Review

We tested the 90 randomly selected accounting transactions for the following attributes
related to internal controls over transaction processing in FMIS.
5\n\n\n\n\n                                                                                                             Exceptions\n                                                                                                Exceptions\n                                                                                       Tested\n\n\n                                                                                                  Non-\n                      Business Process Controls\n\n\n\nTest attributes\n\n    Accuracy\n    \xe2\x80\xa2 Correct accounts were debited/credited (SVs only)                                   45         45               0\n\n    Validity\n    \xe2\x80\xa2 Source documents were available and/or adequate                                     90         66         24\n    \xe2\x80\xa2 Document Checklist included (SVs only)                                              45         37          8\n    \xe2\x80\xa2 Transaction was prepared by the assigned individual                                 90         90          0\n    \xe2\x80\xa2 Transaction was approved by the designated approver                                 90         90          0\n    \xe2\x80\xa2 Transaction was approved by an individual other than the\n       preparer                                                                           90         90               0\n\n    Completeness\n    \xe2\x80\xa2 Transaction is unique, only processed once                                          90         90               0\n\n    Confidentiality\n    \xe2\x80\xa2 PII was not visible (SVs only)                                                      45         43               2\n\n                                                            Total Exceptions                                    34\n\n\n\n\n5\n Two NRRIT transactions (fund 8118) in the original sample were replaced with two new samples; although BFO\nprepared accounting transactions for the fund, the OIG has no audit 
authority per the Railroad Retirement and\nSurvivors\xe2\x80\x99 Improvement Act of 2001.\n\n                                                       13\n\x0c                   SAMPLING METHODOLOGY AND RESULTS                            Appendix I\n                  ACCOUNTING TRANSACTION SAMPLE TESTING\n\nAudit Conclusion\n\nOur evaluation of 90 accounting transactions identified 34 transactions (37.8%) where\nthe source documents were either not available, not adequate to validate the\ntransaction, missing the Document Checklist, or where the transaction support\ncontained PII. As a result, we cannot conclude that the business process controls for\nfinancial management activities in the general ledger over accounting transaction\npreparation and the approval process are operating and effective.\n\nOf the 34 exceptions, we determined that 24 affect the validity of the financial reporting.\nNo exceptions were identified for completeness from these tests.\n\nBecause of the number of exceptions and the nature of the weaknesses underlying the\ndelays, we did not expand testing to determine whether a larger sample would yield a\ndifferent result.\n\n\n\n\n                                            14\n\x0c                   SAMPLING METHODOLOGY AND RESULTS                           Appendix II\n                  BUDGETARY TRANSACTION SAMPLE TESTING\n\n\nThis appendix presents the methodology and results of our non-statistical sampling to\nassess the adequacy of manual and automated internal controls related to the recording\nof budgetary transactions in FMIS. 
Budgetary transactions include appropriations,
apportionments, allotments, and reprogramming.

Sample Objective

Our sampling objective is to assess the adequacy of the selected business process
controls for the financial management activities in the general ledger and specifically to
determine whether controls over the budgetary transaction preparation and the approval
process are operating and effective.

Scope

The scope was budgetary transactions recorded in FMIS from October 1, 2013
through March 31, 2014. All such units in the universe were subject to selection.

Review Methodology

We used random sampling for tests of controls using a 90% confidence level and 10%
tolerable rate, which directed a 45-case sample. The acceptable number of deviations
was one error. One error would permit the auditors to infer, with a 90% confidence
level, that controls were adequate to ensure accuracy, validity, completeness, and
confidentiality of processing.

Accuracy

We tested for accuracy by determining whether the correct accounts were
debited/credited with the pre-defined accounting transaction and support documents
agreed to the standard voucher.

Validity

We tested validity by determining if source documents adequately support the
transaction.
We also tested whether the transaction was prepared by the assigned
preparer and approved by the designated approver and the transaction was approved
by an individual other than the preparer.

Completeness

We tested for completeness by determining that the transaction was only processed
once.

Results of Review

We tested the 45 randomly selected budgetary transactions for the following attributes
related to business process controls over transaction processing in FMIS.⁶

Business Process Controls                                   Tested  Non-Exceptions  Exceptions
Test attributes

Accuracy
• Correct accounts were debited/credited                        45              45           0

Validity
• Source documents were available and/or adequate               45              45           0
• Document Checklist not included                               NA
• Transaction was prepared by the assigned individual           45              45           0
• Transaction was approved by the designated approver           45              45           0
• Transaction was approved by an individual other than the
  preparer                                                      45              45           0

Completeness
• Transaction is unique, only processed once                    45              45           0

Confidentiality
• PII was not visible                                           NA

Total Exceptions                                                                             0

Audit Conclusion

Our evaluation of 45 budgetary transactions did not identify any exceptions. As a result,
we can conclude that the business process controls for financial management activities
in the general ledger over budgetary transaction preparation and the approval process
are operating and effective.

⁶ Two NRRIT transactions (fund 8118) in the original sample were replaced with two new samples; although BFO
prepared accounting transactions for the fund, the OIG has no audit authority per the Railroad Retirement and
Survivors’ Improvement Act of 2001.


ESTIMATED IMPACT OF SUPPORTING                                          Appendix III
DOCUMENTATION ERRORS

The table below shows the estimated impact of supporting documentation errors. There
was a universe of 1,142 accounting and budgetary transactions. The accounting
transaction error rate was 17.8% (24/135) for supporting documentation errors.

NRRIT transactions were part of the universe, but not included in our testing. We
replaced four NRRIT transactions encountered in our sample. In order to get an
accurate projection, we estimated the number of NRRIT transactions in the universe
and subtracted them from our calculations.
When projected to the universe, there
would be 197 supporting documentation error transactions in the universe (1,108 x
17.8%).

Transaction Type                    Accounting Transactions      Budgetary     Total
                                          SVs           JVs
Universe                                  451           326            365     1,142
Sample Size                                45            45             45       135
NRRIT transactions in sample                1             1              2         4

% of NRRIT transactions in sample                                    4/135      3.0%
Projected number of NRRIT transactions in the universe        1,142 x 3.0%        34
Universe less NRRIT transactions                                  1,142-34     1,108
% of supporting documentation errors in sample                      24/135     17.8%
Projected errors per universe less NRRIT transactions        1,108 x 17.8%       197

We did not project any monetary impact due to the variability of the errors identified.


Appendix IV

UNITED STATES GOVERNMENT                                  FORM G-115f (1-92)
MEMORANDUM                                                RAILROAD RETIREMENT BOARD

July 31, 2014

TO      : Daniel Eckert
          Acting Assistant Inspector General for Audit

FROM    : George V. Govan
          Chief Financial Officer

SUBJECT : Draft Report – Audit of the Business Process Controls in the
          Financial Management Integrated System

This is in response to your request for comments on the above draft audit report.
Following are my comments on recommendations addressed to the Bureau of Fiscal
Operations.

We recommend that the Bureau of Fiscal Operations:

1. improve controls to ensure the validity of the transaction by attaching
   sufficient supporting documentation in FMIS.

   We concur. We will improve controls to ensure the validity of the transaction by
   attaching sufficient supporting documentation in FMIS.

   Target Completion Date: December 2014

2. improve controls so that the review and approval process ensures that the
   supporting documentation is complete and accurate.

   We concur. We will improve controls so that the review and approval process
   ensures that the supporting documentation is complete and accurate.

   Target Completion Date: December 2014

3. redact the PII from the two FMIS transactions cited in this finding.

   We concur. We will redact the PII from the two FMIS transactions cited in this
   finding.

4. strengthen controls to ensure that preparers redact all PII and approvers
   thoroughly review support for PII.

   We have strengthened controls regarding PII. On July 14, 2014, I sent a
   memorandum to Bureaus and Offices requesting that the paper documents that
   they provide BFO for recording transactions in FMIS should not contain any PII.

5. document all changes to balances in the general ledger, excluding
   automatic reversals, by preparing a journal voucher with adequate support.

   We concur. We will document all changes to balances in the general ledger,
   excluding automatic reversals, by preparing a journal voucher with adequate
   support.

   Target Completion Date: December 2014

6. develop policies and procedures specific for FMIS.

   We concur. We will develop policies and procedures specific for FMIS.

   Target Completion Date: February 2015

7. update current policies and procedures to incorporate FMIS.

   We concur. We will update current policies and procedures to incorporate FMIS.

   Target Completion Date: February 2015

8. update the BFO Accounting Procedures Guide to document the policy
   prohibiting administrators of BFO systems from entering, approving, or
   modifying FMIS transactions.

   We concur. We will update the BFO Accounting Procedures Guide to document
   the policy prohibiting administrators of BFO systems from entering, approving, or
   modifying FMIS transactions.

   Target Completion Date: August 2014

9. review and revise FMIS security roles to ensure that the principles of
   segregation of duties is established and to ensure that only authorized
   personnel can initiate and view appropriate transactions.

   We concur.
   BFO will work with CGI to generate a report/query suitable for
   review by RRB business managers to ensure that segregation of duties is
   established in their business organizations, and to ensure that only authorized
   personnel in those business organizations can initiate and view transactions.

   Target Completion Date: October 31, 2014

If there is any additional information you need, please advise me.

cc: Tom McCarthy, Chief of TADS
    Kris Garmager
    John Walter, Chief of ABFM
    Shirley Bayliff
    Rich Lannin
    Herbert Kwan
    Ralph Brandt
    Elizabeth Stubits
    Debra Stringfellow-Wheat, Supervisory Auditor